Information Security in respect to Backups and Archive

Paul HowardManaging Director

DISUK Limited

Information Security

• Firewalls

• Intrusion Prevention/Detection

• Content Monitoring/Filtering

• VOIP Security

• Wireless/Mobile Security

• Anti Virus

• Biometric access

• Smartcards

• Physical Security

Tape!

• Lowest cost for long term data storage.

• A “Green” product.

• LTO6 that is shipping today has 2.6 TBytes uncompressed capacity

• The reports of my death are greatly exaggerated!

Tape!

Risk Assessment

What is at risk Customers information Business information Intellectual PropertyShare PriceReputationProfit

TRUST

• Investigate vulnerabilities

• Balance regulatory risk with Business Risk

• Review possible consequential losses

• Real versus perceived risk!

• Who is responsible for Security?

Risk Assessment

Everyone!

Risk Assessment

What is on your humble tape?

Source www.privacyrights.org & www.datalossdb.org

Date Companies Involved Reason Records

Jan 6, 2011 Heraeus Incorporated, NewYork Stolen Tapes 10,000

Jan 19, 2011 Abbott Medical Optics, Inc. Stolen Tapes 514

Jan 24, 2011 Grays Harbor Pediatrics, Aberdeen, Washington Stolen Tapes 12,000

Jan 29, 2011 Texas Health Harris Methodist Hospital - Azle Lost Tape 9,922

Feb 12, 2011 Jacobi Medical Center, North Central Bronx Hospital, Tremont Health Center Stolen Tapes 1,700,000

Mar 1, 2011 Cord Blood Registry, San Francisco, CA Stolen Tapes 300,000

April 4 ,2012 Phoenix Ireland, Scottish Provident Ireland Lost Tape 62,000

July 29,2011 Belmont Savings Bank Lost Tape 13,000

Oct 7, 2011 Nemours Childrens Clinic, Nemours Foundation Lost Tapes 1,600,000

Sep 28, 2011 Science Applications International Corp (SAIC), Tricare Management Activity Stolen Tapes 5,117,799

Oct 28, 2011 ValueOptions, Inc., National Elevator Industry, United Parcel Service Lost Tape 10,600

Nov 25, 2011 Good News Garage – LSS Inc Stolen Tapes Unknown

Dec 14,2011 Welcome Financial Services , Cattles Group, Shopacheck Lost Tapes 1,400,000

Total for 2011 10,235,835

It really is a problem and costs companies millionsLosses on tape in 2011

Source www.privacyrights.org & www.datalossdb.org

Date Companies Involved Reason Records

March 1, 2012 TD Bank, N.A. Lost Tapes 267,000

March 29, 2012 IBM, California Department of Child Support Services, FedEx Lost Tapes 800,000

August 13, 2012 Kindred Healthcare Inc. Stolen Tape 1,504

October 24, 2012 Vermont State Employee's Credit Union Lost Tapes 85,000

November 5, 2012 Women & Infants Hospital, Rhode Island Lost Tape 14,004

December 5, 2012 IBM, O2 Lost Tape Unknown

December 7,2012 United States Secret Service Lost Tape Unknown

2012 losses to date 1,167,508

It really is a problem and costs companies millionsLosses on tape in 2012

Washington (CNN) -- It might remind you of the new smash-hit James Bond movie "Skyfall", in which the villains steal a device with top secret information on the identities of British agents. But in this case, sensitive data was left on a subway train.

Law enforcement and congressional sources tell CNN a contractor working for the U.S. Secret Service accidentally left a pouch containing two computer backup tapes on a train in Washington's Metrorail subway system.

The tapes contained very sensitive Secret Service personnel and investigative information, and if accessed could be highly damaging, according to sources.

The contractor was transporting the pouch from Secret Service headquarters in Washington to a now-closed data facility in Maryland. The sources say the contractor got off a Metro train, and later realized the pouch had been left behind. The Secret Service and the Metro police were contacted, and an aggressive search took place.

According to one source, the tapes have not been recovered.

The incident occurred nearly five years ago, in February 2008. It is now the subject of an investigation by the Department of Homeland Security's Office of Inspector General, according to a congressional source.

Eric O'Neill, a former FBI counterespionage agent, said, "Some of the information could cause lives to be at risk, if someone wanted to get at the families of a high-level government worker or someone they perceived as being someone who could work against, say, a terrorist cell."

Secret Service tapes lost on train under investigationBy Brian Todd, John King and Joe Johns, CNN

December 8, 2012 -- Updated 0107 GMT (0907 HKT)

Source www.privacyrights.org & www.datalossdb.org

Date Companies Involved Reason Records

1st February 2013 First National Bank of Southern California Stolen Tape Unknown

4th March 2013 Kindred Healthcare Inc. (Kindred Transitional Care and Rehabilitation Stolen Tape 716

2013 losses to date 716

It really is a problem and costs companies millionsLosses on tape in 2013

Date Companies Involved Reason Records

March 2007 Independent Living Fund Stolen Tape 30,000June 2007 Bank of Scotland Lost media 62,000July 2007 First Response Finance Ltd Stolen Media Not givenNovember 2007 HMRC Lost Media 25,000,000December 2007 HMRC Lost Tapes 6,500April 2008 HSBC Lost Media 370,000June 2008 Medisure (Insurance Co.) Stolen Tapes Not givenSeptember 2008 St Paul's surgery in Winchester Stolen Tapes 15,000August 2009 Zurich Financial Services Lost Tapes 641,000January 2010 Northern Ireland Electricity Lost Tape 12,799 April 2011 Phoenix Ireland Lost Tape 62,000January 2012 Cattles Limited Lost Tapes 1,400,000December 5, 2012 IBM, O2 Lost Tape Unknown

UK Reported Removable Media data losses

Source www.privacyrights.org & www.datalossdb.org

It really is a problem and costs companies millions

2005 2006 2007 2008 2009 2010 20110

50

100

150

200

250$214

$138

$182$197 $204$202

$194

US figures for average cost per record lost

Figures from the Ponemon Institute LLC

2007 2008 2009 2010 2011 2012£0

£10

£20

£30

£40

£50

£60

£70

£80

£47

£60£64

£71

£79

UK figures for average cost per record lost

?

Figures from the Ponemon Institute LLC

• These figures show the number of records lost or compromised but we need to convert these into financial impact figures to look at the actual costs of a loss. – According to a study conducted by the Ponemon Institute, an independent information

practices research group, data breaches cost businesses an average of $214 per customer record in 2010, up from $204 in 2009.

– This equates to the costs of the Bank of New York Mellon loss costing them almost one billion US Dollars

Is it really a problem we should worry about?

How are they getting lost?

All of these couriers have been involved in the loss of data on tape

24 August 2010

Zurich Insurance fined £2.3m over customers' data loss Zurich Insurance says its loss of customer information was "unacceptable" The UK operation of Zurich Insurance has been fined £2.27m by the Financial Services Authority (FSA) for losing personal details of 46,000 customers.

It is the highest fine levied on a single firm for data security failings.Margaret Cole, the FSA's director of enforcement and financial crime, said: "Zurich UK let its customers down badly.“ Stephen Lewis, chief executive of Zurich UK, said: "This incident was unacceptable."

The data on policyholders, including in some cases bank account and credit card information, went missing in August 2008. However, Zurich did not become aware of the loss until a year later, when it then began notifying customers. The information went missing during a routine transfer to a data storage centre in South Africa.

NEWS Business

'Oblivious' The FSA said in a statement: "Zurich UK failed to take reasonable care to

ensure it had effective systems and controls to manage the risks relating to

the security of customer data resulting from the outsourcing arrangement.

"The firm also failed to ensure that it had effective systems and controls to

prevent the lost data being used for financial crime."

30th March 2012

California says IBM, Iron Mountain lost State Agency data.International Business Machines Corp. and Iron Mountain Inc. lost track of storage devices with data from the California Department of Child Support Services involving more than 800,000 people, the state said.

The information included names, addresses, Social Security numbers, drivers’ license numbers, heath-insurance providers and other data, California said today in a statement. The state said it learned of the missing storage devices on March 12.

The loss or theft of computers and storage devices is a common way data breaches happen. Since 2005, there have been 837 breaches affecting almost 169 million records involving lost, discarded or stolen laptops, smartphones and various portable data-storage devices, according to a database of publicly disclosed breaches maintained by Privacy Rights Clearinghouse.

Cattles apologises for customer data loss 6 January 2012Cattles has expressed “deep regret” at losing personal data on 1.4 million customers and its own former staff.Two IT back-up storage tapes were discovered missing from Cattles’ Kingston House building in Birstall, West Yorkshire, at the end of November 2011.The tapes contain personal data relating to 1.4 million customers, limited to names and addresses for 800,000 but also including date of birth and payment history for 600,000. The tapes also include HR data relating to staff in employment with the Cattles Group up to October 2010.Cattles has issued a statement which said a process was underway to inform affected customers and former employees.The Information Commissioners Office has also confirmed it is investigating the loss, and it has been reported that the data concerns Welcome Financial Services and Shopacheck, both subsidiaries of Cattles.Cattles’ statement said: “There is no evidence that the information has fallen into the wrong hands or been used maliciously.” However, Cattles takes its obligations to protect personal data of its customers and staff extremely seriously and we deeply regret what has happened. “We have employed a specialist data security firm with extensive experience in financial services, to review data security across the group and advise on any necessary improvements.”

Cattles apologises for customer data loss 6 January 2012Cattles has expressed “deep regret” at losing personal data on 1.4 million customers and its own former staff.Two IT back-up storage tapes were discovered missing from Cattles’ Kingston House building in Birstall, West Yorkshire, at the end of November 2011.The tapes contain personal data relating to 1.4 million customers, limited to names and addresses for 800,000 but also including date of birth and payment history for 600,000. The tapes also include HR data relating to staff in employment with the Cattles Group up to October 2010.Cattles has issued a statement which said a process was underway to inform affected customers and former employees.The Information Commissioners Office has also confirmed it is investigating the loss, and it has been reported that the data concerns Welcome Financial Services and Shopacheck, both subsidiaries of Cattles.Cattles’ statement said: “There is no evidence that the information has fallen into the wrong hands or been used maliciously.” However, Cattles takes its obligations to protect personal data of its customers and staff extremely seriously and we deeply regret what has happened. “We have employed a specialist data security firm with extensive experience in financial services, to review data security across the group and advise on any necessary improvements.”

An ICO spokesperson added: “We have recently been informed of a possible data breach which may involve Welcome Financial Services Limited including its business Shopacheck. We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

Regulations.

• Sarbanes-Oxley (SoX ) - standards for all U.S. public company boards, management, and public accounting firms.

• Gramm-Leach-Bliley Act – for financial institutions

• Health Insurance Portability and Accountability Act (HIPAA) – The healthcare Industry

• Payment Card Industry Data Security Standard (PCI DSS) – Anyone who is processing, storing, or transmitting payment card data

• Control Objectives for Information and related Technology (COBIT)

• State Security Breach Notification Laws

What forces companies to admit they have lost data and costs so much money?

Regulations.

• Data Protection Act.

• Computer Misuse Act

• Payment Card Industry Data Security Standard (PCI DSS) – Anyone who is processing, storing, or transmitting payment card data

• Privacy and Electronic Communications Regulations

• Regulation of Investigatory Powers Act 2000

• EU Data Protection Directive

• Financial Services Authority - Data Security in Financial Services

What forces companies to admit they have lost data and costs so much money?

Avoid turning a breach into a disaster!

Press releases

Press releasesAvoid turning a breach into a disaster!

Get a press release written and signed off by the incident response team, the board or senior management giving detailed thought as to the impact and what action you will take.

Avoid the normal pitfalls,

“industrial strength tape technology would be needed to read the tapes”,

“we are secured by obscurity”,

“thieves would require specialist systems knowledge to understand our data”,

“we have no reason to believe the data has been misused”.

“we believed it was an acceptable risk!”

“We didn’t lose the tapes, it was the courier”.

“We didn’t consider the data was sensitive”.

Avoid turning a breach into a disaster!

• We need to ensure that only authorised people can read or restore the data from tape!

– Internally this is quite straightforward as we control the system and can give access only to those who need it when they need it.

– Externally these rules have no control at all! A different approach is required to protect information on tapes removed from site for any reason.

What can we do?

• The only acceptable solution is to encrypt data being written to tape so that it is only recoverable with the keys it was written with.

• Tapes that contain only encrypted data are not deemed to be lost as there is no readable information contained on them.

• Disclosure is not therefore usually required.

What can we do?

– Software– Hardware

• In the tape drive

• Between drive and system

How can we do it?

Available from V6R1 onwards • Encryption for Any Tape Device, Tape Library or Virtual Tape– AES Encryption– Data Encrypted – Not Tape Labels– Capability to Encrypt Each File Via Different Key• Requires i5/OS option 44 (Encrypted Backup Enablement)– Requires Tape Management Application to EnableEncryption– Recommend BRMS• BRMS Advanced Feature Required– Not Compatible with Hardware Encrypting Tape Devices

Software Encryption Considerations

Software Encryption Considerations

• Capacity– Loss of Compaction May Result in More Tape Cartridges• CANNOT Encrypt– Operating system (*SAVSYS, *SAVSYSINF, *SAVSECDTA, *SAVCFG)– QBRM, QUSRBRM, QSYS2, QGPL and QUSRSYS– BRMS Will Not Encrypt “Q” Libraries• Standard Labelled Tapes Only• Cannot Use with Tape Write Error Recovery Enabled• If Key Store File Lost – Data is Unrecoverable• Can be used with existing tape drives and media

• V6R1 BRMS offers a software-based encryption function. • To use this function, customers need the BRMS Advanced Feature (5761-BR1 option 2) and i5/OS

Encrypted Backup Enablement (5761-SS1 option 44 ). • The encryption offered is software-based and can write saves to any tape drive, not just the encryption-

capable tape drives. If the customer has an encryption-capable tape drive, its encryption features are not used for the BRMS-based software encryption. Customers should leave the tape drive with encryption turned-off, otherwise they will double-encrypt their tapes

• BRMS-based software encryption will likely require more tapes (possibly 3 times as much media), since encrypted data does not compact very well.

• The following objects cannot be encrypted: *SAVSYS, *SAVSECDTA, *SAVCFG, *IBM, and any libraries starting with a Q

• IBM does not support encryption on optical or virtual optical devices • Encryption is specified in the media policy, and can be turned on/off by backup item in the control group • The customer is responsible for managing the keys via the encryption functions in the operating system.

The keystore is placed in the QUSRBRM library so BRMS can back it up for you. The BRMS screens and recovery reports will indicate the keystore file and key record label used for each save

• This function is targeted at customers with a small amount of data to encrypt, or customers with a large backup window, since there is a performance impact. Customers who need encryption but require the fastest backup speeds should plan to use the encryption-capable tape hardware such as TS1120 and LTO4 instead since it has very minimal performance impact.

Software Encryption Considerations

BRMS-based encryption(Compared with regular tape saves) Performance

Performance CPU Utilization

Source file saves Minimal impact approximately double

Usermix Saves approximately 30% degradation approximately double

Largefile Saves approximately 50% degradation Approximately 3-5* increase

Source file restores minimal impact Approximately 40% increaseUsermix restores approximately 25% degradation Approximately 40% increaseLargefile restores approximately 4% degradation Approximately 3-5* increase

Performance tests were run on an i570 and an i570 MMA 4-way system with EXP24 disk and LTO3 tape

Performance details are available in the V6R1 Performance Capabilities Reference, pg 239-240 (PDF, 1.19MB)

– Hardware - in the drive• Allows for high speed operation

• Limited to certain drive types

• Disruptive installation

• Only works on certain media types

• Requires special software to control and manage keys - EKM

• Cannot encrypt all data on the system as a host with an O/S, backup software and key management must be available to enable encrypted restores

• Restrictive in a shared DR environment

How can we do it?

Encryption Key Manager Setup Tasks• This topic provides the setup tasks required for the Encryption Key Manager.• Before you can encrypt tapes, the Encryption Key Manager must first be configured and running so that it

can communicate with the encrypting tape drives. The Encryption Key Manager need not be running while tape drives are being installed, but it must be running in order to perform encryption.

• These are the tasks you must perform before using the Encryption Key Manager. See IBM® Encryption Key Manager component for the Java™ platform Installation, Planning, and User's Guide for details.

• Decide what system platforms to use as Encryption Key Manager servers.• Upgrade the server operating system if necessary. • Upgrade the Java Virtual Machine if necessary. • Install Java Unrestricted Policy Files. • Upgrade the Encryption Key Manager JAR. This can be found at the IBM website

http://www.ibm.com/support/docview.wss?&uid=ssg1S4000504 (or visit http://www.ibm.com/servers/storage/support/tape/ts1120/downloading.html and click downloads and look for IBM Encryption Key Manager for the Java platform).

• Decide on keystore type. • Create keys, certificates, and key groups. • If necessary, import keys and certificates (See previous step).• Define the configuration properties file. • Define tape drives to the Encryption Key Manager or set drive.acceptUnknownDrives configuration

property value on. • Start the Encryption Key Manager server. • Start the command line interface client.

EKM is only to be utilized for older tape generation products. The IBM Encryption Key Manager for Java platform (EKM) is responsible for assisting in securing vital data. The EKM works with IBM encryption-enabled tape drives in generating, protecting, storing and maintaining encryption keys that are used to encrypt information being written to and decrypt information being read from tape media. EKM is a part of the IBM Java run time environment and uses IBM Java security components for the cryptographic capabilities.

Tivoli Key Lifecycle Manager (TKLM) is IBM’s strategic new platform for storage and delivery of encryption keys to encrypting storage end-point devices.

IBM Tivoli Key Lifecycle Manager V2.0 supports the following:AIX V5.3, 64-bit, Technology Level 9, Service Pack 2 and AIX 6.1 (A 64 bit AIX kernel is required for both versions.)Red Hat Enterprise Linux AS V4.0 on x86, 32-bitSUSE Linux Enterprise Server V9 on x86, 32-bit, V10, Service Pack 2 on x86, 32-bit, 64 bit (in 32-bit mode application), and V11 (32-bit and 64-bit in 32 bit mode)Sun Server Solaris 9 and 10 (SPARC 64-bit) Note: Tivoli Key Lifecycle Manager runs in a 32-bit JVM.Microsoft Windows Server 2003 R2, (32-bit Intel and AMD processors)Microsoft Windows Server 2008 R2 (64 bit for all Intel and AMD processors)

– Hardware Appliance – between the server & drive

• Available for all drive types

• Available on all system types

• Non-disruptive installation

• Works with existing media.

• No changes, special software or drivers required

• Keys held securely in appliance

How can we do it?

Confidentiality Integrity

Simplicity Availability

Removable Storage Security

Removable Storage SecurityWhat is needed?

Confidentiality Integrity

Simplicity Availability

Removable Storage Security

Removable Storage SecurityWhat is needed?

Confidentiality Integrity

Simplicity Availability

Removable Storage Security

Removable Storage SecurityWhat is needed?

Confidentiality Integrity

Simplicity Availability

Removable Storage Security

Removable Storage SecurityWhat is needed?

Keep it Simple

If it is complex people will try to avoid using it!

Keys

• Why so much fuss about keys?• EKM• TLKM• KMIP• Goodbye, proprietary complexity. Given KMIP-compatible tools,

organizations will be able to manage their many encryption keys from a single point of control—improving security, simplifying complexity and achieving regulation compliance more quickly and easily. That's a huge improvement over the current approach of using many different encryption key management tools for many different business purposes and IT assets.

• Only a few small libraries or small database and plenty of time available for backup AND restore – Software

• Medium size system with less than 8 tape drives – Appliance

• Large corporate datacentre with large number of modern drives and own disaster recovery site – Drive encryption with EKM and BRMS

• Multiple sites with just a few drives on each but need to secure all data – Appliance

• Multiple sites with medium number of drives on each site and good WAN connections between sites and DR site - Drive encryption with EKM and BRMS

• Older legacy systems running older technology drives or older OS versions - Appliance

How can we do it?

UK BUSINESS LEADERS’

VERDICT ON IT SECURITY

• 85% state that information security is not fulfilling business needs

• 88% report an increase in external threats

• 57% report an increase in internal threats

• 61% cite a lack of budget as main hurdle

• 57% of businesses view information security resources as lacking necessary skills

• 62% do not align information security to enterprise architecture or business process

• 38% do not align to organisational risk appetite

Source: Ernst & Young

Questions

e-mail: ph@disuk.com

Web: www.disuk.com